Information infrastructure departments around the world jumped into action on Friday 12 May to protect their businesses against the latest cyberattack, WannaCry. According to media reports, this Trojan ransomware infected over 200 000 computers in over 150 countries. The hackers took users’ files hostage and demanded between $300 and $100 000 through bitcoin to release these files.
This was the latest in a series of corporate cyberattacks, and there have been other devastating ones in the past. Some were more targeted, like the attack on Yahoo, where 500 million clients’ information was stolen, including email addresses and passwords, and the one on US retailer Target, which lost 40 million of its customers’ credit and debit card accounts in 2013.
According to the 2016 Cost of Data Breach Study: Global Analysis report by IBM and Ponemon Institute, a data breach costs an organisation $4 million on average, a 29% increase in cost since 2013. The study surveyed 383 companies across 12 countries. Most concerning, the research found that organisations in South Africa and Brazil are most likely to have a material data breach involving 10 000 or more records.
In an age where knowledge and information are currency, where organisations will soon be subject to regulations such as the Protection of Private Information Act in South Africa and the General Data Protection Regulation in Europe, and where organisations are collecting huge amounts of data that help them serve their clients better, cyber risk insurance is becoming integral not only to risk management but also to good corporate governance.
Jaco Oosthuizen, chief exponential officer at Exponential Ventures says the “King 4 report on corporate governance has also recognised the advent of the fourth industrial revolution and the central role that technology plays in revolutionising businesses, societies, and transforming products, services and business models. There is no doubt that all reasonable and appropriate steps should be taken to protect the information and technology in a business. But what happens when there is a breach and the organisation is exposed to physical and financial damage as well as business interruption that threaten business continuity?”
According to a report produced by UK-based cultivators of change Anthemis Group, cyber risk insurance is relatively new compared to other insurance sectors. In fact, the first dedicated policies appeared in the US in the late 1990s and targeted privacy/security liability issues arising with the growing use of the internet. Today, the cyber insurance market remains relatively concentrated, with three insurers (AIG, Chubb and XL Catlin) controlling around 45% of the market in the US.
However, according to Vica Manos, director at Anthemis Group, “the cyber insurance space is now evolving rapidly driven by the advent of data science and technology, and the resulting emergence of specialist cyber technology companies that focus on the SME market.” In fact, with annual premium growth expected to remain at 15% over the next five to 10 years, cyber risk is one of the few insurance markets not challenged by stagnant or decreasing premiums, attracting the attention of insurers and reinsurers alike.
Who is using cyber risk insurance?
Anthemis Group reports that comprehensive cyber risk insurance policies are currently used mostly by big corporations. The current process, in which a consultancy firm performs a security benchmarking exercise from an insurance perspective to understand the corporation’s protection needs, is costly and also requires extensive internal cyber knowledge. This is prohibitive for smaller organisations.
“Startups that are working on filling this very gap have started to emerge. Propositions such as ThreatInformer and Zeguro help the small and medium sized enterprise market to access much needed cyber risk insurance policies. They are able to conduct automated comprehensive security assessments, providing an unprecedented level of detail to insurers and brokers in a cost-efficient manner, helping them better understand the risk and serve a segment that was previously priced out of the market,” says Manos.
How is cyber risk insurance provided?
Carlo Biggio, associate at Anthemis Group, splits the cyber risk insurance sector, because of its intertwined nature, into the following three categories: cyber risk modelling platforms; cyber risk assessment with insurance applications; and cyber risk assessment.
- Cyber risk modelling platforms are companies that use tools to model and price cyber insurance policies; developing these tools requires an adequate record of previous cyber-related losses and significant mathematical capabilities
- Cyber risk assessment with insurance applications are companies that run assessments for organisations and produce reports in a digestible format for insurance brokers/companies, helping the latter underwrite cyber risks better
- Cyber risk assessment are companies that use platforms which identify the various information assets that could be affected by a cyberattack (such as hardware, systems, laptops, customer data, intellectual property, etc.) and assess the various risks that could affect those assets
What are some of the challenges providers of cyber risk insurance are facing?
The Anthemis report outlines the following challenges for the growth of cyber risk insurance:
- Cyber expertise: the very nature of cyber risks commands highly specialised professionals to both assess and underwrite risks, which will require companies to either collaborate with or acquire relevant cyber security firms or develop internal capabilities
- Traceability and cooperation: cyber threats are not as easily identifiable as physical threats. Companies sometimes may not even know that they have been attacked and therefore cannot properly collect information about the incident. In addition, corporations might be reluctant to publicise breaches and share details because of the reputational effect of admitting security failures, the potential impact on future sales, and a desire not to attract further attacks
- Data availability: the absence of a commonly accepted framework to capture information about cyber incidents exacerbates this situation
- Uncertainty of sources of exposure: the potential for unknown cyber threats creates significant ambiguity around the underlying sources of exposure, especially since these may be different for regular data/IT security breaches compared with catastrophic cyber events
- Ever-evolving risks: even with detailed information about cyber-related losses and the underlying factors that gave rise to them, past events may not necessarily be a good guide to the future. The risk is constantly evolving, with new actors, attack methods and technologies coming into play, making it extremely difficult for firms to understand and monitor their exposure
- Cyber risk modelling: the nature of cyber risks presents a unique set of challenges. The frequency and severity of cyber events, as well as their co-dependence, are not easy to establish, making it difficult to assess potential aggregate losses
- SME policy take-up: although SMEs are targeted every day by cyber threats, it is unlikely that in the short term they will be a major driver for growth in the industry. Brokers need to convince their clients of the need to buy comprehensive cyber cover, which is not currently mandatory, can be expensive and comes with limits that rarely exceed $500 million. This is because the current status of the industry does not allow for competitive cyber insurance prices in the SME segment; this is bound to change as the industry evolves but is expected to remain a challenge in the short term
What does the future look like?
Manos says, “The holy grail of insurance is quantifying the extent of potential losses and estimating the probability of those occurring. In cyber insurance, this is far more complex than it sounds, as the very nature of the risk keeps evolving at speed. New ways of thinking are needed in two areas: First, probabilistic and adaptive AI-driven cyber risk models are required. Second, these models demand appropriate datasets to be chosen, collected and presented in a consistent and reliable manner. This, today, remains a challenge.”
“Exponential Ventures has been in extensive discussions with Anthemis to find solutions not only for the South African market (identified as one of the most vulnerable countries) but for the 15 other countries, and the broader global market. Financial Wellness drives us to invest in startups that have the potential to help us achieve this for our clients and stakeholders and cyber risk insurance is becoming an important component in this journey,” concludes Oosthuizen.